Tanium’s Chris Hallenbeck explains how converged endpoint management helps overcome obstacles to endpoint visibility.

Tanium’s Chris Hallenbeck explains how converged endpoint management helps overcome obstacles to endpoint visibility.

Dark Reading

Thanks to the pandemic and working from home, endpoint visibility remains one of the biggest challenges for infosec professionals. Tanium’s Chris Hallenbeck explains how converged endpoint management helps overcome those obstacles. He also addresses the reality of siloed systems and how security professionals can overcome the challenges with integrating them. And Hallenbeck discusses what organizations can do to maximize endpoint visibility in order to keep their users and their data secure.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Tanium: Taking A Deeper Cut At Converged Endpoint Management

Pentera’s Omer Zucker outlines exposure management’s biggest challenges in closing security gaps.

Exposure management is a combination of attack surface mapping, vulnerability assessment, and validation, and seeks to keep networks more secure. Pentera’s Omer Zucker outlines exposure management’s biggest challenges in closing security gaps. He also describes how security pros can combine attack surface mapping, vulnerability assessment, and validation to enhance their security posture. And Zucker offers some tips for getting started with exposure management.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pentera Helps Enterprises Reduce Their Security Exposure

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco.

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco.

Dark Reading

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco. He discusses new ransomware dangers and what users can do to protect themselves. And he describes in detail how Cisco intelligence was used to respond to a recent large-scale security event. He closes with some tips about how to better protect your organization against ransomware.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco: All Intelligence is Not Created Equal

Replacing passwords is not as easy as people think, but there is hope.

Although analysts have predicted the death of passwords for many years, passwords are still the predominant authentication credential used for many applications and IT systems. The reason for this is simple — everyone knows how passwords work, which makes them more convenient to use.

As a result, 80% of all company data breaches and hacking incidents result from stolen or compromised passwords. It's not hard to see why. The average user has more than 90 online accounts — almost all requiring a password that more than half of those same users reuse. And with a record 1,862 data breaches in 2021 at an average cost of $4.24 million per breach, it's no wonder that more than 555 million passwords are available on the Dark Web.

Passwords are proliferating across our digital world and getting stolen in record numbers every year, but it doesn't have to be this way.

**The Twin Dilemma of Security vs. Convenience**

Enterprises can address this problem today. In fact, many are already enhancing existing passwords with a second factor — for example, sending an out-of-band code via SMS or email. The technology exists for even stronger login credentials, but these often significantly impact the user experience, which hurts adoption with internal users (employees) or retention with external users (consumers).

Organizations are faced with a complex balancing act: They need to improve their authentication process so that login credentials provide the needed security while being easy to use. But those credentials also have to be difficult for hackers to steal or compromise. Oh, and let's not forget that this enhanced authentication mechanism must be cost effective, too.

Over the years, many types of login credentials emerged that were effective in one or two areas but fell short in the others. But, there is hope.

**Size and Scope**

The size and scope of the problem must also be taken into consideration. For large enterprises, these challenges are multiplied because of the sheer number of applications running across their hybrid environments, from the cloud to the mainframe. You hear a lot about the cloud, but how often do you hear someone mention the mainframe? Did you know that mainframes handle 90% of all credit card transactions, or that mainframes handle 68% of world's production IT workloads? For many of our strategic customers, the mainframe is more mission critical than anything running in the cloud.

A truly effective identity security solution needs to cover all aspects of an organization's infrastructure — everything from the mainframe to distributed servers, from virtualized to multicloud environments, managing access across business applications, privileged accounts, and everything in between.

**The Convergence of Technology and Standards**

The missing link in efforts to improve this identity security challenge is a failure to recognize that replacing the password is not as easy as people think. But there are several trends that may help accelerate the death of the password once and for all.

The first is the smartphone. According to Ericsson, the number of smartphone users in the world today is about 6.6 billion, which translates to almost 84% of the world's population. These devices are not only ubiquitous but are also responsible for teaching users how to use their fingerprint to unlock their devices and take a selfie. Biometrics is not an abstract concept anymore — it is becoming familiar even to people who struggle to use a computer.

The second trend is one of standardization, specifically the growing support for FIDO or Open ID Connect. These new security standards help facilitate the exchange of identity and authentication information between an identity provider and an application. These standards eliminate the need for passwords and replace them with passwordless techniques, such as biometrics (a single finger swipe on your phone). However, there are many mainframe and web applications that were never designed with support for these standards and therefore cannot leverage passwordless authentication — that is, not without major redesign or a little help.

For newer or smaller enterprises, it may be relatively easy to modify applications to be compatible with FIDO or OpenID Connect. However, for larger enterprises this problem is significant because the bulk of their mission-critical apps may need to be modified, and this may not be financially feasible. As a result, while newer applications are built with passwordless authentication mechanisms, they are addressing only a subset of enterprise applications, networks, and environments.

An effective security system needs to cover all an organization's digital assets. If not, the bad guys will always find the weakest link. Only through a holistic approach can enterprises solve the biggest pain points in identity security by replacing the need for passwords with a single passwordless sign-on procedure for everything in our digital world.

Identity Security Pain Points and What Can Be Done

Sumedh Thakar, CEO of Qualys, explains how moving to a cloud-based asset management platform can simplify their strategies and improve overall security.

Siloed security solutions often don’t improve security or reduce risk. Sumedh Thakar, CEO of Qualys, explains how moving to a cloud-based asset management platform can simplify their strategies and improve overall security. With cybersecurity spending topping $150 billion annually, customers are looking for more improvement and better results, Thakar adds. He also addresses how to deal with network complexity in an era of cloud computing, the Internet of Things, and a personnel shortage.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How Qualys Reduces Risk and Enables Tool Consolidation

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

So many everyday items in the developed world are now connected to the Internet, often inexplicably. It adds another layer of potential technology failure that for personal appliances can be something of an amusing annoyance: blinds that won't open, microwaves that don't adjust for time changes, refrigerators that need firmware updates.

But in the enterprise, when Internet of Things devices fail, it's no Twitter-thread joke. Factory assembly lines grind to a halt. Heart-rate monitors in hospitals switch offline. Elementary school smart boards go dark.

Smart device failures are an increasing risk in the enterprise world, and not just because of the oft-discussed security worries. It's because some of these devices' root certificates — necessary for them to connect to the Internet securely — are expiring.

"Devices need to know what to trust, so the root certificate is built into the device as an authentication tool," explains Scott Helme, a security researcher who has written extensively about the root certificate expiration issue. "Once the device is in the wild it tries to call 'home' — an API or manufacturer's server — and it checks against this root certificate to say, 'Yes, I'm connecting to this correct secure thing.' Essentially \[a root certificate is\] a trust anchor, a frame of reference for the device to know what it's speaking to."

In practice this authentication is like a web or a chain. Certificate authorities (CAs) issue all kinds of digital certificates, and the entities "talk" to each other, sometimes with multiple levels. But the first and most core link of this chain is always the root certificate. Without it, none of the levels above could make the connections possible. So if a root certificate stops working, the device can't authenticate the connection and won't link to the Internet.

Here's the problem: The concept of the encrypted Web developed around 2000 — and root certificates tend to be valid for about 20 to 25 years. In 2022, then, we're smack in the middle of that expiration period.

The CAs have issued plenty of new root certificates in the last two-plus decades, of course, well ahead of expirations. That works well in the personal device world, where most people frequently upgrade to new phones and click to update their laptops, so they would have these newer certs. But in the enterprise, it can be far more challenging or even impossible to update a device — and in sectors like manufacturing, machines may indeed still be on the factory floor 20 to 25 years later.

Without an Internet connection, "these devices aren't worth a thing," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, provider of machine identity management services. "They essentially become bricks \[when their root certs expire\]: They can't trust the cloud anymore, can't take commands, can't send data, can't take software updates. That's a real risk, particularly if you're a manufacturer or an operator of some kind."

**A Warning Shot**

The risk isn't theoretical. On September 30, a root certificate issued by the massive CA Let's Encrypt expired — and several services across the Internet broke. The expiration wasn't a surprise, as Let's Encrypt had long been warning its customers to update to a new cert.

Still, Helme wrote in a blog post 10 days before the expiration, "I'm betting a few things will probably break on that day." He was right. Some services from Cisco, Google, Palo Alto, QuickBooks, Fortinet, Auth0, and many more companies failed.

"And the weird thing about that," Helme tells Dark Reading, "is that the places using Let's Encrypt are by definition very modern — you can't just go to their website and pay your $10 and download your certificate by hand. It has to be done by a machine or via their API. These users were advanced, and it was still a really big problem. So what happens when we see \[expirations\] from the more legacy CAs that have these big enterprise customers? Surely the knock-on effect will be larger."

**The Path Forward**

But with some changes, that knock-on effect doesn't have to happen, says Venafi's Bocek, who views the challenge as one of knowledge and chain of command — so he sees solutions in both awareness and early collaboration.

"I'm really excited when I see chief security officers and their teams getting involved on the manufacturer and developer level," Bocek says. "The question is not just, 'Can we develop something that is safe?' but 'Can we continue to operate it?' There's often a shared responsibility of operation on these high-value connected devices, so we need to be clear on how we're going to handle that as a business."

Similar conversations are happening in the infrastructure sector, says Marty Edwards, deputy CTO for operational technology and IoT at Tenable. He's an industrial engineer by trade who has worked with utility companies and the US Department of Homeland Security.

"Quite frankly, in the industrial space with utilities and factories, any event that leads to a production outage or loss is concerning," Edwards says. "So in these specialty circles the engineers and developers are certainly looking at the impacts \[of expiring root certificates\] and how we can fix them."

Though Edwards stresses he's "optimistic" about those conversations and the push for cybersecurity considerations during the procurement process, he believes more regulatory oversight is also needed.

"Something like a baseline standard of care that perhaps includes language on how to maintain the integrity of a certificate system," Edwards says. "There's been discussions between various standards groups and governments about traceability for mission-critical devices, for example."

As for Helme, he'd love to see enterprise machines set for updates in a way that's realistic and not arduous for the user or the manufacturer — a new certificate issued and update downloaded every five years, perhaps. But manufacturers won't be incentivized to do that unless enterprise customers push for it, he notes.

"In general, I do think that this is something the industry needs to fix," Edwards agrees. "The good news is most of these challenges aren't necessarily technological. It's more about knowing how it all works, and getting the right people and procedures in place."

Expiring Root Certificates Threaten IoT in the Enterprise

Garret O’Hara of Mimecast discusses how companies can bolster security of their Microsoft 365 and Google Workspace environments, since cloud services often add complexity.

Garret O’Hara of Mimecast discusses how companies can bolster security of their Microsoft 365 and Google Workspace environments, since cloud services often add complexity.

Dark Reading

Continuous evolution of the threat landscape increases complexity, says Garret O’Hara of Mimecast. He discusses how companies can bolster security of their Microsoft 365 and Google Workspace environments, since cloud services often add complexity. O’Hara also weighs in on how companies can strike a balance between sophistication and simplicity. And he closes with some tips on how security pros can foster their own human-centric security architected in the SOC.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Mimecast: Mitigating Risk Across a Complex Threat Landscape

Banyan Security’s Jayanth Gummaraju makes the case for why zero trust is superior to VPN technology.

Zero trust can be better thought of as “least-privileged access,” says Banyan Security’s Jayanth Gummaraju, underscoring how the policy management framework is often misunderstood, especially for non-technical professionals. And he makes the case for why zero trust is superior to VPN technology – namely, faster deployment and easier to manage. Gummaraju also advocates using a phased approach in rolling out zero trust, rather than an organization-wide flash cut.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Banyan Recommends Phased Approach When Introducing Zero Trust

DeepSurface’s Tim Morgan explains how network complexity and cloud computing have contributed to the challenge, and how automation can help.

Vulnerability management has changed dramatically in recent years, thanks to greater volume of risks. DeepSurface’s Tim Morgan explains how network complexity and cloud computing have contributed to this challenge, and how automation can help. Morgan parses automation, artificial intelligence, and machine learning, plus a few tips on how to cut through the hype. He also offers advice on how CISOs can better communicate about risk with their boards.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DeepSurface Adds Risk-Based Approach to Vulnerability Management

Neko Papez, senior manager, cybersecurity strategy for Menlo Security, helps customers understand if they’re vulnerable to highly evasive adaptive threats (HEAT).

Neko Papez, senior manager, cybersecurity strategy for Menlo Security, helps customers understand if they’re vulnerable to highly evasive adaptive threats (HEAT).

Dark Reading

Highly evasive adaptive threats (HEAT) are used to launch ransomware and phishing attacks. Neko Papez, senior manager, cybersecurity strategy for Menlo Security, helps customers understand if they’re protected against or susceptible to such attacks. Papez also distinguishes between HEAT attacks and more run-of-the-mill threats. And he describes how security teams must adapt to handle this new category of threats.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading